NASDAQ: FROG

Software and the Business Environment

Software’s role has changed from a functional tool to a cornerstone of nearly every company, dictating that the continuous development and release of software is now a mission-critical operation. Beyond providing competitive advantage for companies, the safety and security of data and operations is software-dependent and increasingly influenced by AI.

To meet this need, updating a feature of a software application or AI model, rather than releasing a new version of the entire application, ensures that current solutions are brought to market faster, allowing organizations to be more responsive to their customers’ needs, security concerns and corporate welfare.

The proliferation of open source software, AI and ML models and availability of newer and more efficient software development technologies such as Agentic AI and Generative AI, enable organizations to produce software at an increasing rate. However, with speed can come software supply chain complexity through disparate services, inadvertent adoption of malicious packages, introduced security vulnerabilities, unregulated containers, and unchecked deployment across hybrid and multi-cloud environments. Organizations’ existing approaches can create silos and bottlenecks around critical steps, such as planning, curating, building, testing, securing, and delivering intelligent software. The merging of new technologies with legacy approaches has placed significant strain on traditional software workflows, which are even further complicated by the introduction of these AI components.

The DevOps, DevSecOps, DevGovOps, MLOps, and AI Development Workflows

DevOps is a maturing discipline that integrates software development and operations, shortening, automating, and improving the software build and release workflow. DevOps is a combination of technologies, methodologies, and culture that powers a continuous, fast, and secure software release cycle. DevOps is increasingly influenced by AI, such as generative coding assistants and AI agents.

The DevSecOps workflow spans the DevOps workflow, but with the addition of security capabilities, including the planning, curating, coding, building, securing, and testing of software components by developers, to the secure releasing, deploying, operating, and monitoring of that software by operators. Sometimes dubbed “shifting left,” DevSecOps integrates security practices across the DevOps workflow for early detection of issues and ongoing software security throughout the software’s lifecycle. JFrog provides the common ground for software developers, security teams, and IT operators, making it integral to the DevOps and DevSecOps workflows to create trusted software releases. DevSecOps is emerging as a key use case for AI

5

Table of Contents

technologies, such as those that provide AI agent-driven remediation of security vulnerabilities or agents that provide contextualized security analysis.

Compounding the DevOps and DevSecOps workflows, increasing AI and MLOps processes combine the work of developers, AI agents, data scientists, and ML engineering teams who build, train, and deploy AI technologies - such as ML models - with operational motions that bring these models and AI-empowering technologies into production as part of applications.

“DevGovOps” is an emerging discipline and framework that aims to merge DevOps and DevSecOps practices with the evolving business needs of governance over software releases. DevGovOps aims to automate governance, policies, control gates and business operations around software delivery directly within existing software supply chain processes.

The convergence of DevOps, DevSecOps, DevGovOps, and AI/MLOps solutions into a foundational platform allows JFrog to address multiple processes simultaneously, enabling more rapid, intelligent, confident, and compliant application delivery across a business.

Code Versus Software Packages & Artifacts

Modern society heavily relies on software, and most individuals understand that software comes from code generated by software developers and, increasingly, AI agents and coding assistants. But software, in code form, doesn’t equate to an application. Code is built (i.e., transformed) into binary files (or “software packages” and “artifacts”) that allow it to run alongside other components as a complete application for consumers as it runs on a server or device. The vast majority of technologies today are built using only a small percentage of original source code written by developers or generative AI, with an estimated >80% of an application’s binaries (including containers, traditional software packages and AI/ML models) coming from open source, existing software. JFrog’s unified platform is designed to universally secure, manage and deploy all types of software artifacts within an organization, making it the system of record for an organization’s software, whether bespoke by hybrid development teams or consumed from a third party.

Increasingly, the need to manage software components is being heavily influenced by the emerging needs to manage ML models (and large language models), AI technologies, and their dependencies. The increasingly large volumes and complexity of packages within an organization’s software supply chain requires a new, systematic, AI agent-ready, and automated approach to trusted management of packages. Tracking and managing software at the package level enables organizations to make incremental updates to packages and models, delivering trusted software and bills of materials alongside their software releases. Universal package management allows software releases to be continuous, and capable of handling the volume, variety, security, and velocity of trusted software required today.

Our Platform

The JFrog Platform connects all of the processes involved in building and releasing software, enabling trust by offering a single source of truth for all software release inputs and outputs. We empower our customers to shorten their software and AI technology release cycles, and enable the continuous flow of current, secure, up-to-date software from any source to any distributed edge. Our platform is designed to be agnostic to the programming languages, source code repositories, public hubs, and development technologies that our customers use, as well as the type of production environments to which they deploy.

The JFrog Platform allows customers to compile software from source code repositories, curate the importation of external software packages and AI models, manage the dependencies among components within software packages, keep these packages under a single universal repository, manage and automate the usage of open source models, libraries and packages, scan for vulnerabilities through various stages and contexts, distribute to endpoints, and deploy securely to production, all through a single user access point or via model context protocol (“MCP”) functionality for AI agents. This complete process is often referred to as management and securing of the “software supply chain.”

Since JFrog’s inception with the creation of the software package management category (“JFrog Artifactory”), we have consistently innovated and added new solutions to expand the capabilities of our platform in demand of modern enterprises.

6

Table of Contents

The JFrog Platform

Solutions

JFrog Platform solutions enable enterprise DevOps, DevSecOps, and AI/MLOps development teams to efficiently and securely collaborate to deliver traceable and trusted software at near-infinite scale.

•
JFrog Artifactory. JFrog Artifactory provides core functionality to the JFrog Platform as the “single source of truth” for an organizations’ software artifacts. It allows teams and organizations to store, update, and manage software packages at any scale, ensuring all artifacts being deployed are current, secure, and trusted. As an AI Model Registry, Container Registry and universal binary manager, JFrog Artifactory supports all major software package technologies, and can be seamlessly deployed on public clouds, in multi-cloud environments, on-premises, in a private cloud, and across hybrid environments. JFrog Artifactory ensures consistency, trust, governance, and automation in the rapidly evolving software release process.

For data science and MLOps teams, JFrog Artifactory also manages AI/ML models - the fuel of expanding AI technologies - and their dependencies as part of a new generation of companies’ AI-driven applications. We believe JFrog uniquely unites AI-powered development with DevSecOps best practices to create a universal software supply chain across an organization.

•
JFrog Curation. JFrog Curation functions as a guardian outside the software development pipeline, controlling the admission of packages and AI models into an organization, primarily from open source or public repositories. These repositories are consistently subjected to novel supply chain attacks, leading many companies to seek a package “firewall” to protect against malicious activity. Customers use JFrog Curation to build policies around the entry or blocking of any software packages into a company’s repositories based on multiple factors such as age, version number, security risk, release timelines, target environments, and other metadata. JFrog Curation relies on the JFrog Catalog of open-source package information, with over 4 million unique packages and their advanced metadata available. JFrog Curation is an optional add-on as part of select JFrog Platform enterprise subscriptions, while JFrog AI Catalog is offered as an extension of JFrog Curation specifically designed for AI/ML models and technology curation.

•
JFrog Xray (Security Essentials). JFrog Xray continuously scans JFrog Artifactory to secure all software packages stored in it. JFrog Xray analyzes software packages at a binary level, utilizing the metadata stored in JFrog Artifactory to accurately uncover potential vulnerabilities, policy violations, and open source software license compliance issues. JFrog Xray also provides unique security information to customers that is derived from a dedicated security research team that uncovers vulnerabilities in public and private repositories.

•
JFrog Advanced Security. JFrog Advanced Security offers in-depth binary and contextual scanning to examine data that is not accessible via package managers, software bill of materials or typical metadata. Natively integrated with JFrog’s Artifactory binary repository and JFrog Xray’s software composition analysis solutions, JFrog Advanced Security

7

Table of Contents

capabilities, including source code scanning (“SAST”), secrets detection, contextual analysis, Infrastructure as Code (“IaC”) scanning, container scanning, malicious machine learning model detection IDE extension security, transitive contextual analysis, AI agentic remediation capabilities, MCP scanning, and more, offering holistic coverage for software supply chain security at scale. JFrog Advanced Security is an optional add-on functionality for select JFrog subscriptions.

•
JFrog Runtime Security. JFrog Runtime Security is an optional add-on for or included in select JFrog subscriptions that is designed to work seamlessly with other JFrog Security solutions. It offers insight into runtime environments (such as Kubernetes clusters), delivering full visibility and traceability of potentially compromising software components for DevOps and Security teams.

•
JFrog Distribution. JFrog Distribution provides reliable, scalable, and secure software package distribution with enterprise-grade performance. It uses proprietary technology to reliably distribute packages to multiple locations and update them as new release versions are produced. JFrog Distribution offers native support for the major package technologies, allowing for smooth integrations.

•
JFrog Connect. JFrog Connect is a connected device management solution that allows companies to manage software updates and monitor performance across Internet of Things (“IoT”) device fleets from anywhere in the world. JFrog Connect scales to automate secure software package delivery across the development-to-device lifecycle.

•
JFrog ML. JFrog ML is a platform-integrated solution designed for data science and AI/MLOps teams to transform and store data, build, train, secure, and deploy models, and monitor the entire Machine Learning and Artificial Intelligence pipelines (including public, bespoke, and large language models) as part of the JFrog Platform.

•
JFrog AI Catalog. The JFrog AI Catalog is offered as an extension of JFrog Curation functionality that allows companies to secure, govern, consume and deploy AI technologies, including first- and third-party ML models. This allows organizations to confidently build specialized AI-agentic solutions and integrate AI services into their software supply chains. JFrog’s partnership with Hugging Face (a leading public hub for ML models and AI-related software packages) allows in-workflow adoption of AI and ML models from the world’s largest open-source model hub, while ensuring security, compliance and governance over AI technologies.

•
JFrog AppTrust. JFrog AppTrust is an optional component within the JFrog Platform that provides companies with application risk governance to help address the growing demands of emerging “DevGovOps” requirements. AppTrust helps enterprises manage audit and compliance needs across their software supply chains, complete with cryptographically signed evidence across release requirements to help ensure quality, speed, and security needs are met.

Benefits to Our Customers

•
End-to-end, unified platform. We provide a central, unified platform for our customers’ software release needs with our universal package management solution, JFrog Artifactory, at its core and a portfolio of adjacent solutions including build integration, workflow automation, software supply chain security, and deployment. We designed our products to integrate with each other natively, with a unified user interface, as well as integrate easily with AI agents and other technologies via our MCP server. This allows organizations to effectively and efficiently manage the full software supply chain through access points best for the digital and human user in the era of AI.

•
A single source of truth for the digital organization. We designed JFrog Artifactory to be the only software package repository that an organization needs. By securely storing, monitoring, and distributing software packages created inside and outside an organization or by AI technologies, we provide a single, trusted local repository that any user within an organization can rely on, serving as the system of record for all of the software in an organization. JFrog Artifactory automatically caches updated software packages from both external and internal repositories, ensuring that an organization always has the latest, validated packages available.

•
Acceleration through automation. Our platform accelerates the software release cycle by enabling the automation of workflows across teams and providing tight coordination between development, security, data science, AI/ML and operations groups, removing silos within organizations’ software release processes. We seamlessly integrate with source code repositories to push software updates and to manage software package flows between all software release gates seamlessly and continuously, offering a uniquely efficient way to orchestrate software release from build to deploy.

8

Table of Contents

•
Fit-to-purpose hybrid and multi-cloud deployment. We empower organizations to release AI technologies and software applications that are execution-ready across any number of different production environments. JFrog cloud-native platform supports public cloud, on-premises, private cloud, multi-cloud, and hybrid deployments, helping organizations avoid vendor lock-in and allowing software developers, security, AI/ML teams, and IT operators across an organization to use our products in any chosen environment. Our unique model offers the same product in the cloud and on-premises, so users can work and deploy in any environment based on workload or business needs.

•
Scalable across the organization. Proprietary technology allows our platform to seamlessly scale across even the largest of customers and deployments. Our platform supports a wide variety of enterprise-scale storage and retention capabilities and also accommodates spikes in usage without compromised performance. The JFrog Platform supports High Availability cluster configuration, in which redundant components are created to maximize network uptime and can therefore seamlessly serve nearly any number of concurrent users, build servers, and human or agentic interactions.

•
Trusted and secure. We enable organizations to analyze software packages and AI technologies such as ML models for vulnerabilities, rapid, agentic remediation, license compliance, and quality issues in near real-time. Our fully integrated security solutions enable continuous automation of security policies from before a package enters the organization through to deployment to the runtime. Our platform embeds security into the DevOps and AI/MLOps work streams, creating a seamless DevSecOps and MLSecOps flow that allows organizations to have speed and control in the software release cycle. All software artifacts on our platform are fully traceable, ensuring the accuracy and reliability of software applications. To enhance application quality while minimizing risk, our security controls offer customizable governance policies to specific software packages and complete auditing capabilities and business impact analysis.

Business Model

We combine bottom-up and top-down approaches in our go-to-market model. The bottom-up approach is community focused, driving increased usage of our products, in which we focus on demonstrating the value that our products can provide to software developers, security teams, data scientists, and IT operators. Increasingly, we have adopted a top-down motion for full platform adoption that focuses on enterprise values for both new and expansion business. To support growth of large strategic customers, JFrog also empowers a direct sales team supported by dedicated DevSecOps technical staff. We strive to make software developers, security teams, AI/MLOps teams, and IT operators more efficient, effective, and productive, and create champions of JFrog in the process. In an increasingly AI-influenced development cycle, we continue to demonstrate criticality across digitally-hybrid teams that combine Generative AI and Agentic AI with traditional development, maximizing JFrog value.

•
Our go-to-market strategy.

o
Make software developers, security teams, AI/ML engineers, and IT operators successful. Our product innovation, thought leadership in software supply chain management and security, and knowledge sharing with software developer, security teams, AI/ML engineers, and IT operator communities engender trust that fuels increased usage of our products. We enable our users to stand out for the value they deliver to their organizations, making others within their organizations want to adopt our products to emulate their success.

o
Enable user freedom of choice. We are agnostic to the types of technologies a software developer or IT operator may choose to use, which we believe provides us with a competitive advantage. Our platform is designed to quickly and seamlessly add support for new package technologies and AI-powered frameworks as they arise.

o
Align pricing with value provided. Our free trials and open source software options provide low-friction entry points for software developers, security teams, and IT operators. Customers often upgrade to paid and higher-tiered subscriptions as they increase their usage of our products.

o
Provide best-in-class support. Our customer support and customer success teams provide extensive engineering-level support directly to software developers, security teams, machine learning engineers, and IT operators. Our customer support team is differentiated by the number of team members who have engineering backgrounds, which allows our customers to have consistent access to individuals with intimate technical knowledge of our products and of the different technologies and protocols with which they integrate.

o
Directly support strategic accounts. Our strategic sales team focuses on accounts with high expansion potential to deliver more customized experiences and dedicated approaches. This is often a top-down approach or executive-level relationship that ensures JFrog is consistently meeting the needs of top-tier customers with high scalability requirements.

9

Table of Contents

o
Expanding partnerships and go-to-market motions. We are expanding JFrog’s channel strategy throughout the world, with a focus on emerging markets and localized buying patterns. We believe that in addition to our traditional direct-sales business, channel expansion will drive growth by giving specific industry verticals and geographies purchase options that are flexible to their localized needs. Specifically with public cloud providers, we believe that enhancing our partnership relationships and channel strategy may be a significant contributor to JFrog’s growth.

•
Multiple tiers of subscriptions. Our subscription structure is aligned with the way we have built our product platform, with JFrog Artifactory at the core of each subscription and a portfolio of specific solutions and services that differ by subscription tier. Our pricing model aligns the value we deliver with our customers’ needs as they dynamically scale to match technology adoption and autonomous technologies.

•
Technology partnership ecosystem. Our extensive integrations with technologies across the software development and AI ecosystems power significant extensibility of our platform and offer our customers the ability to use external software development technologies of their choice on our platform, driving increased customer affinity and product stickiness.

Multi-Tiered Subscription Offerings

We offer our products to customers through a multi-tiered subscription structure. Our current paid subscription tiers include JFrog Pro, JFrog Pro X, JFrog Enterprise X, and JFrog Enterprise Plus.

•
JFrog Pro. JFrog Pro is cloud-only subscription that provides access only to the universal version of JFrog Artifactory and ongoing updates and upgrades. It includes Container Registry and ML Model Registry capabilities.

•
JFrog Pro X. JFrog Pro X is a self-managed-only subscription that provides the same features as JFrog Pro with the addition of JFrog Xray basic scanning functionality and license compliance, along with service-level agreement (“SLA”) support.

•
JFrog Enterprise X. JFrog Enterprise X provides the same features as JFrog Pro X with the addition of High Availability cluster configuration, federated repositories, multi-region replication, and JFrog Mission Control, enabling larger enterprise-scale deployments, and SLA support as well as deeper security features. JFrog Enterprise X customers are also able to purchase suites of JFrog security and/or IoT products and are granted access to JFrog and GitHub integrations including GitHub Copilot and GitHub Advanced Security integrations designed for a single platform experience for developers. Optional functionality may include advanced management for AI/ML development lifecycles and AI Catalog functionality

•
JFrog Enterprise+ (Enterprise Plus). JFrog Enterprise Plus provides the same features as JFrog Enterprise X, with the addition of JFrog Distribution, Access Federation, private content delivery network cloud capabilities, and private edge nodes. JFrog Enterprise Plus is our full platform subscription option, delivering our entire suite of products and functionality, as well as Private Distribution Network capabilities. JFrog Enterprise Plus customers are also able to purchase the full suite of JFrog security and/or IoT products and are granted access to JFrog and GitHub integrations, including GitHub Copilot and GitHub Advanced Security integrations designed for a single platform experience for developers. Optional functionality may include advanced management for AI/ML development lifecycles and AI Catalog functionality, as well as advanced DevGovOps functionality for customers seeking to enhance their application risk governance posture

•
JFrog ML, with features to help data science and ML engineering teams build, test and deploy ML models into the software development pipeline, is available to Enterprise X and Enterprise Plus customers.

•
Additional, optional subscription components.

o
JFrog Advanced Security, with functionality for SAST, IaC scanning, container scanning, contextual analysis, agentic remediation, transitive dependency scanning, AI code validation and more, is available through optional, add-on subscription for Enterprise X and Enterprise Plus subscribers, as well as through private offers in the cloud marketplaces.

o
JFrog Runtime Security, with functionality that provides in-depth security monitoring and analysis of production environments, is available as an optional, add-on subscription for customers already utilizing JFrog Advanced Security.

o
JFrog Curation functions as a guardian outside the software development pipeline, controlling the admission of packages into an organization, primarily from open source or public repositories. JFrog’s AI Catalog is an optional addition to JFrog Curation in some subscriptions, extending curating and access policy management to AI and ML technologies.

10

Table of Contents

o
JFrog Connect functionality for IoT devices is available for separate purchase as a means to control updates and deployments to device fleets.

o
“Unified Security,” “Ultimate Security,” “Unified MLOps,” and “Ultimate MLOps” bundles create feature-level purchasing options for customers, who wish to focus on specific product capabilities that enhance their business.

We have an unwavering commitment to the software developer, AI/MLOps teams, security teams, and IT operator communities, and demonstrate this commitment by offering varying forms of free access to our products in addition to the paid subscriptions described above. This free access takes the form of free trials and open source software and helps generate demand for our paid offerings within these communities.

•
Free trials. We offer time-limited free trials of our platform that allow prospective customers to test the full functionality of a JFrog subscription within their environments or in the cloud. At the end of this trial period, prospective customers must pay for a subscription in order to continue utilizing JFrog services. Community, free services include a limited version of Artifactory as well as a community version for C/C++ developers (Conan).

•
Platform tours. We offer environments with pre-populated data and streamlined experiences to allow prospective customers the ability to securely test-drive functionality without requiring their own data.

•
Open source. Our open source offering is a limited functionality version of JFrog Artifactory that only supports Java-based software packages, and does not support organization-wide adoption by DevOps teams.

Growth Strategies

We intend to pursue the following growth strategies:

•
Extend our technology leadership. We expect to continue to invest in building new capabilities and extending our platform to bring the power of software supply chain management to a broader range of use cases, including maturation of security solutions for DevSecOps, expansion of AI-enabling technologies including MLOps, and continuing to enable DevOps solutions for distributing to the edge. Additionally, we believe acquiring new technologies to complement our organic innovation efforts may help us rapidly adapt to address the evolving needs of the market and drive increased value for our customers.

•
Expand within our existing customer base. We have demonstrated a differentiated ability to retain customers, expand existing customer usage, and cross-sell a broader set of products and features within an organization. Our net dollar retention rate of 119% as of December 31, 2025, highlights the increasing value of our products to our customer base. While maintaining our self-service and inbound sales model, we intend to continue to expand our strategic sales team to identify new use cases and drive expansion and standardization on JFrog’s Software Supply Chain Platform.

•
Acquire new customers. Our free trial subscription options and open source version of JFrog Artifactory increase software developer, security and IT operator familiarity with our products, and allow for low-friction product adoption. AI-powered and MLOps functionality may expose JFrog solutions to new audiences such as AI/machine learning Engineers and Data Scientists. DevGovOps functionality may allow us to penetrate high-budget departments within legal, compliance and governance organizations. Additionally, we have steadily grown our international presence since inception and intend to continue to expand regionally as AI, DevOps and DevSecOps practices are increasingly adopted around the world.

•
Expand and develop our technology partnership ecosystem. We have designed our platform to work with the major package technologies and source code tooling providers, and to be deployed in any environment, allowing our technology partners to better serve their customers. We also intend to cultivate and leverage channel and alliance partners, including cloud providers, to grow our market presence and drive greater sales efficiency.

Customers

During 2025, we revised our customer logo methodology to eliminate friction for our customers and sales teams to better align with global go-to-market practices, which resulted in the consolidation of certain organizations with multiple subsidiaries into a single entity. As of December 31, 2025, we had a global customer base of approximately 6,600 organizations across all industries and sizes, including approximately 83% of Fortune 100 organizations.

11

Table of Contents

As of December 31, 2025, 1,168 of our customers had annual recurring revenue (“ARR”) of $100,000 or more, increasing from 1,018 customers as of December 31, 2024, accounting for 77% and 72% of our ARR, respectively. We had 74 customers with ARR of at least $1.0 million as of December 31, 2025, increasing from 52 customers as of December 31, 2024. For the year ended December 31, 2025, our 10 largest customers represented approximately 9% of our total revenue. Additionally, approximately 40% of our revenue was generated from customers outside of the United States. All references to our customers included in this Annual Report refer to paying customers.

Technology

Our proprietary technology, fueled by our optimized database architecture, enables best-in-class reliability, scalability, and performance.

Our technology includes the following key attributes:

•
Universal package management. The center of our platform, JFrog Artifactory, stores software packages and manages the metadata from major package technologies, including Docker, OCI, Debian, RPM, Go, Helm, Kubernetes, NPM, NuGet, Python, Java, Rust, NVIDIA NIM, and ML models and datasets. Our platform is designed to quickly and seamlessly add support for new package technologies as they arise, ensuring a comprehensive view of an organization’s software supply chain.

•
Curated public repositories. JFrog Artifactory automatically queries third-party repositories and allows organizations to exert choice and governance in the software packages they cache. This enables our customers to better maintain control and security via the blacklisting or whitelisting of certain components. Additionally, our partnership with Hugging Face allows for a seamless experience for developers looking to secure and pull AI technologies and software packages from a world-standard ML hub.

•
Rich metadata. Every package in JFrog Artifactory is stored and referenced using metadata, including dependencies, author, and date modified. We utilize our proprietary technology to store and index metadata, allowing it to be queried for multiple uses such as package promotion, tagging, security, and more, which enables automation. This metadata is critical for organizations meeting new strict software bill of materials requirements.

•
Checksum-based storage. A checksum is a sequence of numbers and letters that serves as a “digital fingerprint.” Each package has a unique checksum that is stored as a file and referenced by JFrog Artifactory, significantly reducing the amount of data needed within JFrog Artifactory or when copying software packages to remote sites or replicating repositories, making it substantially faster than traditional approaches.

•
High Availability. Our High Availability configuration allows multiple JFrog product nodes to be deployed as a redundant cluster to reduce reliance on any single node, ensuring that there can be no single-point-of-failure. Importantly, our High Availability configuration allows customers to update our products with the latest versions with little to no downtime, as each node is updated one at a time.

•
Enterprise-class security and compliance. Organizations can use our platform to help manage the integrity of software being deployed by digitally signing packages and binary files. Groups, API tokens, users, and other characteristics can all be managed from various points within multiple data centers, alongside real-time access replication.

•
Advanced security scanners. Scanners that analyze the actual exploit risk of a vulnerability, in-context, based on the environment under which it exists and minimize security "noise" for developers so that they can focus on fixing the impactful issues. Scanners include Contextual Analysis, Service and Application Exposures, SAST, IaC Analysis and Secrets Detection.

•
Machine learning security. Scanners that identify malicious behavior or vulnerabilities embedded in ML model files of different formats. Scanners can also suggest AI-generated remediation actions to users upon detection of a security issue.

•
Machine learning filtering. JFrog AI Catalog enables users to identify and control the ML models used within the organization. By using AI Catalog as a database of open source models and their advanced metadata, AI Catalog applies policies to govern the usage of ML models across projects and supports both file models and service models that are controlled through a Gateway.

12

Table of Contents

•
Package admission filtering. JFrog Curation acts as a firewall for open source and third party packages coming from public repositories. By using JFrog Catalog as a database of open source packages and their advanced metadata, Curation applies policies to govern the admission of new package versions into the company’s repositories.

•
Trusted, governed software supply chain releases. JFrog AppTrust controls the lifecycle of software releases across the software supply chain. By defining applications, lifecycle promotion control points and policies, the progression of software releases is managed across different maturity phases and checked for policy compliance. Signed evidence in Artifactory, including evidence originating from third parties, are used to evaluate and record promotion decisions.

•
Hierarchical graph of software packages. By tracking against a database of known vulnerabilities, our platform provides continuous security and analysis of software packages in the development environment, making it less likely for vulnerable components to reach production.

•
Easy user extensions. Workers allow customers to extend the functionality of our platform, providing a simple way to add functionality and react to platform events by executing custom code that runs in a secure sandbox.

•
Global federation of repositories. The ability to have bi-directional content synchronization across multi-site, globally distributed repositories, used for disaster recovery and geo-location transparency.

•
Machine learning lifecycle management. End-to-end platform for development of ML applications and management of their versioned software components, including model and dataset registry, feature store, security scanning, model experiment tracking, model promotion, deployment, serving and monitoring.

Marketing and Sales

Marketing

JFrog’s marketing approach is a dual-pronged effort to both enable and empower users in a bottoms-up motion, as well as enterprise level or “top-down” approach for broad platform adoption at a strategic company level. Our community-focused approach to marketing prioritizes increasing the effectiveness of software developers, security teams, AI/ML engineers, data scientists and IT operators. We empower these technologies to release software faster and more securely, and in the process create champions of our products who are well-positioned to demonstrate the value of JFrog to their broader organizations. These communities can easily engage with our products through free trials and open source software before deciding to use them on a paid basis.

Our enterprise-level and geography-focused field marketing functions support our strategic sales team, providing an account-based approach to drive expansion of JFrog solutions amongst our largest customers and prospects. Additionally, we engage with prospective end-users through user-centered events, including JFrog swampUP, our annual, global DevOps, DevSecOps, DevGovOps and MLOps user conference, hands-on training events, persona-driven events, and co-marketing activities with technology partners and large cloud platforms.

Sales

Flexible self-service, inbound and strategic enterprise sales approaches make it easy for customers to try, adopt, and use our products in a way most advantageous for them, creating a highly efficient sales motion. Our customers can start with an open source version of JFrog Artifactory, free trial subscription options, or land directly with one of our paid subscription tiers. Our open source and free trial options provide low-friction entry points for customers, who often upgrade to paid and higher-tiered subscriptions as they increase their usage of our products through the identification of new use cases, the need for additional functionality, or the adoption of our products by new teams or in new geographies. Once a user has decided to use our products beyond what is available in open source or at the end of a free trial, they can upgrade to one of our paid subscriptions, which are priced based on number of servers or consumption to align the value we deliver with our customers’ needs as they scale.

Our customer success teams are focused on enabling organizations to realize the full benefits of our platform by helping them advance DevOps, DevSecOps, DevGovOps, and MLOps practices and promoting the adoption of additional products and more advanced functionality of our platform. We intend to continue to expand our strategic sales team to identify new use cases and drive expansion and standardization on JFrog within our largest customers.

13

Table of Contents

Competition

We compete in the DevOps, DecSecOps, AI/MLOps and emerging DevGovOps markets on the basis of a number of factors, including:

•
ability to provide an end-to-end, unified platform for secure software supply chain workflows;

•
ability to provide security solutions across software developers and enterprise workflows;

•
ability to provide machine learning operation solutions across enterprise workflows;

•
ability to provide compliance and governance automation embedded within enterprise workflows;

•
breadth of technologies we support;

•
breadth of technology integrations;

•
total cost of ownership;

•
extensibility across organizations, including software developers, security teams, AI/ML engineers, data scientists, and IT managers;

•
ability to enable collaboration between software developers, security teams, and IT operators;

•
ability to deploy our products in any combination of cloud, multi-cloud or on-premises environments;

•
performance, security, scalability, and reliability in tandem;

•
quality of customer experience and satisfaction;

•
quality of customer support;

•
ease of implementation and use; and

•
brand recognition and reputation.

Our products are available for self-managed, software-as-a-service (“SaaS”), multi-cloud, and hybrid deployments. While we believe we compete successfully on the above factors, particularly with regards to the comprehensive nature of our solutions, we do experience competition in each of these categories with different vendors:

•
Home grown solutions. Over time, many companies built solutions in-house for specific use cases they uniquely required. Often, these solutions do not scale or were not designed to meet the needs of modern software delivery methodologies or technologies.

•
DevOps and developer-focused vendors. Many companies address only certain parts of the DevOps cycle and may compete with a limited set of JFrog offerings, including Microsoft’s GitHub, GitLab, Cloudsmith, and Sonatype.

•
Cloud providers. While also partners, cloud providers, such as Amazon Web Services (“AWS”), Microsoft Azure (including Azure DevOps) and Alphabet Inc.’s Google Cloud, may compete with a subset of JFrog functionality.

•
Security point solutions. Some security-focused companies may compete with a subset of JFrog’s holistic security offerings or address only developer-level security, such as Aqua Security, Snyk, Sonatype, and Black Duck.

Additionally, we may compete with start-up and open source technologies across the categories described above. Many of our competitors have greater financial, technical, and other resources, greater brand recognition, larger sales forces and marketing budgets, broader distribution networks, diverse product and services offerings, and larger and more mature intellectual property portfolios. They may be able to leverage these resources to gain business in a manner that discourages customers from purchasing

14

Table of Contents

our offerings. Furthermore, we expect that our industry will continue to attract new investments, including smaller emerging companies, which could introduce new offerings. We may also expand into new technology or geographical markets and encounter additional competitors in such markets.

Research and Development

Our research and development organization is responsible for the design, development, testing, and delivery of new technologies, features, and integrations of our platform, as well as the continued improvement and iteration of our existing products. Our most significant investments in research and development are to drive core technology innovation and bring new products to market. Research and development employees are located primarily in our Israel and India offices.

Our research and development team consists of our architects, software engineers, security experts, DevOps engineers, AI/ML experts, product management, quality assurance, and data collection teams. We intend to continue to invest in our research and development capabilities to extend our platform and products.

Intellectual Property

Our success depends in part on our ability to protect our intellectual property. We rely on a combination of copyrights and trade secret laws, patents, confidentiality procedures, employment agreements, license agreements, invention assignment agreements, and trademarks to establish and protect our intellectual property rights, including our proprietary technology, software, know-how, and brand.

As of December 31, 2025, we hold a number of active patents and have filed patent applications both in the U.S. and in other countries. Our patent applications may result in the issuance of a patent or the examination process may require us to narrow our claims. Our patents issued may be contested, circumvented, found unenforceable or invalidated, and we may not be able to prevent third parties from infringing them. In addition, we have international operations and intend to continue to expand these operations, and effective patent, copyright, trademark, and trade secret protection may not be available or may be limited in foreign countries.

We control access to, and use of, our proprietary technology and other confidential information through the use of internal and external controls, including contractual protections with employees, contractors, customers, and partners, and our software is protected by U.S. and international copyright and trade secret laws. We require our employees, consultants, and other third parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation, and other proprietary information. Our policy requires employees and independent contractors to sign agreements assigning to us any inventions, trade secrets, works of authorship, developments, and other processes generated by them on our behalf and agreeing to protect our confidential information. In addition, we generally enter into confidentiality agreements with our customers and partners. See Part I, Item 1A, "Risk Factors" in this Annual Report on Form 10-K for a more comprehensive description of risks related to our intellectual property.

Although we utilize intellectual property rights, as well as contractual protections to establish and protect our proprietary rights, we believe that the technological and creative skills of our personnel, creation of new modules, features, functionality, products, and frequent enhancements to our platform are more essential to establishing and maintaining our technology leadership position.

Government Regulations

Our business activities are subject to various federal, state, local and international laws, rules and regulations. For example, we are subject to numerous laws, directives, and regulations regarding privacy, data protection, and data security and the collection, storing, sharing, use, processing, transfer, disclosure, and protection of personal information and other data. In addition, in some cases, our software is subject to export control laws and regulations, including the Export Administration Regulations administered by the U.S. Department of Commerce, and our activities may be subject to certain trade and economic sanctions. Compliance with these laws, rules and regulations has not had, and is not expected to have, a material effect on our capital expenditures, results of operations and competitive position as compared to prior periods. For additional information about government regulation applicable to our business, see Part I, Item 1A, "Risk Factors" in this Annual Report on Form 10-K.

Employees and Human Capital

Our Board of Directors and its committees share oversight of our human capital management strategy. We conduct talent reviews as well as annual succession planning and the Board of Directors receives updates from senior management regarding succession planning, management talent assessment, and employee attrition. The Compensation Committee of the Board oversees

15

Table of Contents

our approach to human capital and our overall compensation philosophy, policies, and programs, ensuring their respective alignment with our human capital strategy. The Audit Committee of the Board reviews with management our ethics and compliance programs for human capital and workplace-related issues. The Nominating and Corporate Governance Committee oversees our approach to diversity as part of its broader oversight of our sustainability strategy and initiatives.

As of December 31, 2025, we had a total of approximately 1,800 employees globally, including approximately 950 employees located in Israel and approximately 400 employees in the United States. None of our employees are represented by labor unions or, except for our employees in France and Spain, is covered by collective bargaining agreements.

Recruiting, Training and Development

Our human capital objectives include, as applicable, identifying, recruiting, retaining, incentivizing and integrating our existing and new employees and consultants. We attract new employees by advertising on our JFrog careers website and on LinkedIn, as well as leveraging our employee referral program, and when necessary, engaging external recruiting partners. In order to meet our professional development objectives, we have implemented several formal and informal cross-company training programs to train new managers and employees with the skills to embark on a successful career at JFrog. In addition to annual performance reviews and merit-based compensation, we also encourage employees and their managers to maintain an open dialogue on progress throughout the year. Moreover, we focus on providing each employee a career path and professional development opportunities.

Everyone Counts, Everyone Matters

We recognize and view equality as key to our success. We strive to foster a culture where all of our employees feel they are respected and treated equally, regardless of gender, race, ethnicity, ancestry, color, age (40 and above), disability, sexual orientation, gender identity, gender expression, marital status, national origin, veteran status, pregnancy, reproductive health decision making, HIV/AIDS status, cultural background, religious belief, genetic information status, or domestic violence status. We aim to foster a workplace culture that values different perspectives, provides fair treatment for all employees, and creates opportunities for everyone to contribute and advance.

We continue to support equal opportunity in hiring and conduct mandatory non-discrimination and anti-harassment training for all employees. For example, our workforce is diverse both in ethnicity and gender, including and up to the highest level of management, where three of our 10-member board of directors and four of our 11-member executive management team are women.

Compensation and Benefits

Our compensation policy is designed to attract, retain, and reward personnel. In addition to competitive base salaries and other cash compensation, we offer equity incentive plans that align the interest of our employees with our shareholders by motivating individuals to perform to the best of their abilities and achieve our business objectives, thereby driving the success of our company and increasing shareholder value.

Workforce Health and Safety

In addition to traditional employee benefits, we have implemented a number of initiatives to support the well-being, safety and health of our employees. We provide comprehensive health and wellness benefits appropriate for each jurisdiction in which we have employees. Additionally, we are committed to workplace safety and security through office maintenance, employee training, and emergency protocols.

Corporate Information

We were incorporated under the laws of the State of Israel on April 28, 2008. We are registered with the Registrar of Companies under the company number 514130491. Our main place of business in the United States is located at 270 E. Caribbean Drive, Sunnyvale, California 94089. Our telephone number at this address is (408) 329-1540. Our registered office is located at 3 HaMachshev Street, Netanya, 4250465, Israel. Our telephone number at this address is + 972 (9)-894-1444. Our agent for service of process in the United States is JFrog, Inc.

“JFrog,” our logo, and our other registered or common law trademarks, service marks or trade names appearing in this Annual Report on Form 10-K are the property of JFrog Ltd. Other trademarks and trade names referred to in this Annual Report on Form 10-K are the property of their respective owners.

16

Table of Contents

Available Information

Our website address is https://www.jfrog.com, our investor relations website is https://investors.jfrog.com, our blog https://www.jfrog.com/blog and our X account is @JFrog. We have used, and intend to continue to use, our website, investor relations website, our blog and X accounts as a means of disclosing material non-public information and for complying with our disclosure obligations under Regulation FD. More specifically, such disclosures will be included on our investor relations website under the heading “News” from time to time. Accordingly, investors should monitor such portions of our website. In addition, the following filings are available through our investor relations website after we file them with the SEC: Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, current reports on Form 8-K, and our Proxy Statement for our annual meeting of shareholders. These filings are also available for download free of charge on our investor relations website. The SEC also maintains an Internet website that contains reports, proxy statements and other information about issuers, like us, that file electronically with the SEC. The address of that website is https://www.sec.gov.

We webcast our earnings calls and certain events in which we participate or host with members of the investment community on our investor relations website. Additionally, we provide notifications of news or announcements regarding our financial performance, including SEC filings, investor events, press and earnings releases, and blogs as part of our investor relations website. Further corporate governance information, including our corporate governance guidelines, global code of business conduct and ethics, and committee charters is also available on our investor relations website. Information contained on, or that can be accessed through, the websites provided does not constitute part of this Annual Report on Form 10-K or in any other report or document we file with the SEC, and inclusions of website addresses in this Annual Report on Form 10-K are inactive textual references only.

17

Table of Contents